I have worked for a number of large companies and have found that different ones treat InfoSec differently.

One in particular was very keen to make sure IP was not leaked out of the company; they made sure all users were aware of the Green, Yellow, Red designations of data. Anything that was above Green was NOT to go to people outside of the company, and Red and Yellow printouts were to be shredded.

But when it came to the security of the network and data on the network it was different. Users were allowed to copy files to USB keys with no encryption. Never once did they employ a company to test the security of the network, relying 100% on the automated scanning tool!

Do you guys find this is often the case with companies? They do a great job in some parts of InfoSec and not others?

Yes. I've found that most companies are pretty bad in general and the exceptions to the rule only do some of it well, like you said.

Infosec is hard to do right, really hard. I'm so glad I am on the offensive side of things now because it's expensive, difficult to manage and hard to get budget approval for. I think that a lot of companies struggle to find that balance between functionality and security. I also think that a lot of companies don't understand that there are ways to mitigate a lot of the risk and problem areas that they face, that might be much less expensive.

I would say 2% of the companies we deal with are proactive about security. It's clear that they have a solid enterprise security program, but we still can usually get in. It's just too hard to do well!!

cd1zz wrote: I would say 2% of the companies we deal with are proactive about security.

This. When overall security is poor, but there are a few tasks done really well, those are usually a direct result of audit findings and/or historic incidents (or someone with some pull saw a really convincing piece on CNN).

SecurityMonkey wrote: One in particular was very keen to make sure IP was not leaked out of the company; they made sure all users were aware of the Green, Yellow, Red designations of data. Anything that was above Green was NOT to go to people outside of the company, and Red and Yellow printouts were to be shredded.

But when it came to the security of the network and data on the network it was different. Users were allowed to copy files to USB keys with no encryption. Never once did they employ a company to test the security of the network, relying 100% on the automated scanning tool!

You could argue they weren't even doing the first part very well if anyone was capable of walking out the door with the data on an unencrypted USB stick.

I am currently in a similar position. I've spent most of my time in the SMB realm as a consultant. Most of the SMBs that I have worked with are much better off security-wise than the big enterprises. I think what makes this work is, for one, that their risk of data loss is much greater than that of a large organization. It could be the difference between closing the doors or keeping them open for another couple of years. They simply don't make the revenue to afford any major fines or to have their IP stolen and their business fly out the door to the competitors. For those that realize this, security means everything.

Now back to the large enterprises. At this time I think many are in a reactive state due to some breach or major incident. They are in clean-up mode and looking for the "magic bullet" to help them protect their data from "APTs." My problem with their approach to remediating these issues is the fact that they are not even practicing security 101. How could you take a 501 course when you haven't met the pre-reqs??? You can't even understand the basics but you want to jump right into the advanced skills. OK, you have the firewalls, the IDS/IPS in place and a switched network with a solid core. Let's ensure we are using those devices to the fullest extent before buying more crap that no one knows how to use.

Don't even get me started on outsourcing. My feeling is that, depending on the size of the environment, you should have at least one FTE per area. That FTE should be at an expert level for that system. They should send the tasks to the outsourcing company to complete, but at the same time they also understand and can perform the duties required. They are available on the higher-level engineering side. They can focus on improving the architecture and allow the outsourced company to perform the day-to-day operational tasks.

To contrast that I have worked for a company that did things almost right… The only users with internet access were the office admin team (HR, Front Desk). The Developers and Analysts had no internet, no external email, no USB access and could not print!

I too deal primarily with SMBs, well, mostly SB. The major issue I've seen recently is how poorly they deal with employee termination. I got a call from one THREE WEEKS after they let someone go for check stealing. She still had remote access and a working company email. I found out during a routine checkup. They said "Oh, don't bother with her computer, she doesn't work here anymore..."

She had been given significant access to many areas. My head spins at the harm that could have been wrought. I had a chat with the boss and hopefully enlightened him. At the very, very least, call me first before firing anyone so I can cut access and lock their account.

I know many larger companies with real HR departments handle this more professionally. Have any of you needed to step in and fix employee termination processes as part of an evaluation?